From cda2fe768bc1d7ae5cd24588557693adc0c83213 Mon Sep 17 00:00:00 2001
From: Berkeley Martinez
Date: Mon, 2 May 2016 21:11:49 -0700
Subject: [PATCH] Remove csrf from api calls
---
 server/middlewares/csurf.js | 9 ++++++++-
 server/middlewares/global-locals.js | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/server/middlewares/csurf.js b/server/middlewares/csurf.js
index 737a602a0f..02c19e301e 100644
--- a/server/middlewares/csurf.js
+++ b/server/middlewares/csurf.js
@@ -1,5 +1,12 @@
 import csurf from 'csurf';
 export default function() {
- return csurf({ cookie: true });
+ const protection = csurf({ cookie: true });
+ return function csrf(req, res, next) {
+ const path = req.path.split('/')[1];
+ if (/api/.test(path)) {
+ return next();
+ }
+ return protection(req, res, next);
+ };
 }
diff --git a/server/middlewares/global-locals.js b/server/middlewares/global-locals.js
index a018a3e46a..fbd0680731 100644
--- a/server/middlewares/global-locals.js
+++ b/server/middlewares/global-locals.js
@@ -2,7 +2,7 @@ export default function globalLocals() {
 return function(req, res, next) {
 // Make user object available in templates.
 res.locals.user = req.user;
- res.locals._csrf = req.csrfToken();
+ res.locals._csrf = req.csrfToken ? req.csrfToken() : null;
 next();
 };
 }
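Review bot: The exemption check `if (/api/.test(path))` in the new `csrf` wrapper is a substring match on the first path segment, so any route whose leading segment merely contains "api" (`/apiary/...`, `/rapid/...`, `/capital/...`) also bypasses CSRF protection; compare exactly instead: `if (path === 'api') {`. The larger concern is that every `/api/*` route is now reachable cross-site without a token, which is only safe if those handlers do not authorize on the session cookie alone (a bearer token or required custom header, or rejection of simple form-encoded content types) — nothing in this hunk establishes that, so it should be confirmed before this lands. A comment above the check recording that precondition, e.g. `// /api routes skip csurf: they must not trust the session cookie by itself`, would keep the next reader from widening the exemption. Note also that `req.path` is relative to the mount point in Express, so if this middleware is ever mounted under a prefix the `split('/')[1]` segment will no longer be what this check expects.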